Three of this month's bulletins (MS09-063, -064 and -066) address vulnerabilities that an attacker could exploit by sending crafted packets across the network to a target system, either taking control of it remotely or causing it to stop responding. In most environments, these attacks would need to originate from the LAN to succeed, because the affected ports are normally blocked at the perimeter firewall.
The remaining three bulletins discuss security issues that can be exploited when a user visits a malicious webpage or opens a malformed Office document.
Microsoft recommended that the following three patches be installed immediately.
MS09-063 is a critical patch for Windows Vista and Windows Server 2008. It addresses a flaw in the Web Services on Devices API (WSDAPI), a system service introduced in Windows Vista, which makes it one of the few vulnerabilities found in new code written specifically for the newer operating systems.
To exploit this vulnerability, an attacker sends crafted packets to TCP port 5357 or 5358 on an unpatched computer. No authentication is required; anyone on the network can send these packets, and an attacker who does so could take full control of the computer. Fortunately, the attack is limited to the LAN: attackers on remote networks cannot deliver the traffic the attack requires.
This patch should be applied right away to Vista desktops and Windows Server 2008 servers.
MS09-064 is another critical, remotely exploitable vulnerability, this time in the License Logging Service on Windows 2000 Server. An attacker sends crafted packets to the RPC ports (TCP 135, 139 or 445) of a Windows 2000 Server running the License Logging Service; a successful exploit gives the attacker complete control of the server.
This attack would most likely be launched from inside the corporate network, because the requisite Remote Procedure Call ports are usually blocked at the corporate firewall. To protect Windows 2000 servers, install the patch or disable the License Logging Service.
Security bulletin MS09-066 addresses a denial-of-service condition that can be triggered against Active Directory domain controllers. Since domain controllers handle so many functions across the network, including user authentication, a denial of service against them could seriously disrupt access to, and activity on, the corporate network.
The attacker triggers the denial of service by sending packets to the LDAP or Global Catalog ports (TCP 389 and 636 for LDAP and LDAP over SSL, TCP 3268 and 3269 for the Global Catalog). Against Windows Server 2003 and 2008 the attacker must first obtain some level of domain authentication; against Windows 2000 Active Directory servers no authentication is required.
According to Microsoft, exploit code has not been released (yet) for this attack; however, you should apply this patch to your Active Directory servers as soon as possible.
This patch replaces MS09-018, which was released in June 2009.
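The following script is an added example, not part of the original column and not a Microsoft tool. It takes the TCP ports named in the three network-facing bulletins above and reports, for each host given on the command line, which of those ports currently accept a connection. Run it once from inside the LAN and once from outside the perimeter firewall to confirm the "LAN only" assumption the column relies on. An open port shows only that a listener is reachable from where you ran the scan, not that the host is unpatched; the bulletin-to-port map is constructed from the column's text and the host list is whatever you pass in.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP ports named in the three network-facing November bulletins (from the
# column above; this mapping is constructed for the example).
BULLETIN_PORTS = {
    "MS09-063": [5357, 5358],            # WSDAPI listener on Vista / Server 2008
    "MS09-064": [135, 139, 445],         # RPC transports reaching License Logging Service
    "MS09-066": [389, 636, 3268, 3269],  # LDAP, LDAPS and Global Catalog on domain controllers
}


def port_open(host, port, timeout=1.0):
    """TCP connect check: True if something accepts a connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable all count as closed
        return False


def exposed_ports(host, ports_by_bulletin=BULLETIN_PORTS, timeout=1.0):
    """Return {bulletin: [ports that accepted a connection]} for one host.

    Bulletins whose ports are all closed or filtered are omitted, so an empty
    dict means none of the listed attack surfaces is reachable from here.
    """
    exposed = {}
    for bulletin, ports in ports_by_bulletin.items():
        # Probe each bulletin's ports in parallel so filtered ports do not
        # serialise the timeouts.
        with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
            results = list(pool.map(lambda p: port_open(host, p, timeout), ports))
        open_ports = [p for p, is_open in zip(ports, results) if is_open]
        if open_ports:
            exposed[bulletin] = open_ports
    return exposed


def format_report(host, exposed):
    """One line per reachable bulletin, or a single 'nothing reachable' line."""
    if not exposed:
        return "%s: none of the listed ports reachable" % host
    lines = []
    for bulletin in sorted(exposed):
        ports = ", ".join(str(p) for p in exposed[bulletin])
        lines.append("%s: %s reachable on TCP %s" % (host, bulletin, ports))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python ms09_exposure.py 10.0.0.5 dc01.corp.example ...
    # Run from inside the LAN and again from outside the corporate firewall.
    for target in sys.argv[1:]:
        print(format_report(target, exposed_ports(target)))
```

Port 5357 being open on a Vista desktop is normal (it is the WSD listener), and 389/3268 are expected on any domain controller; the finding that matters is whether those listeners answer from a network segment that should not be able to reach them. Treat a "reachable" line from outside the firewall as a firewall problem to fix in addition to applying the patch.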
More November patches
The following three patches should be installed at the next convenient update time. MS09-065 addresses another critical vulnerability that could enable an attacker to take complete control of a desktop or server. The flaws are in the Windows kernel-mode drivers and affect every supported Windows version except Windows 7 and Windows Server 2008 R2.
On Windows 2000, Windows XP and Windows Server 2003, an attacker could take complete control of a system after a user views a malicious webpage or opens a malicious Office document (in an application such as Word or PowerPoint) that carries a malformed embedded font. Install this patch immediately on those older operating systems.
A second flaw, present on all of the affected operating systems, could allow a logged-on user to run code with elevated privileges, turning a nonadministrator into an administrator of that system. Because exploitation requires code already running in a logged-on session, the threat from remote attackers is very limited.
This patch should still be installed on every system configured for users to work under nonadministrative accounts, particularly the desktops on which end users browse the Web or open Office documents, and on Terminal Servers, where many nonadministrative users run code on one shared system and must not be able to gain administrative rights.
This patch replaces MS09-025, which was released in June 2009.
Security bulletins MS09-067 and MS09-068 address flaws in Microsoft Excel (all supported versions) and Microsoft Word (Word 2002 and 2003) that could allow an attacker to execute code on a user's computer if that user opens a malicious Office document. The attacker's code runs with the permissions of the currently logged-on user, so a user working under a nonadministrative account limits the damage.
These two patches replace previously released patches MS09-021 and MS09-027 from June 2009, which addressed similar security vulnerabilities. Installing these latest patches should protect your desktops from both the current issues as well as the previously discussed security vulnerabilities.
ABOUT THE AUTHOR:
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, he worked for Microsoft, where he helped manage the security bulletin and patch release process. Eric likes to forget that he used to work as an internal auditor on Wall Street.